
I have a custom role that allows creating VMs in a specific VNet and its subnets. I can deploy a single VM into this subnet without any problem. However, when I try to deploy a scale set into the same subnet, I get the following error:

Missing write permissions {'Microsoft.Network/VirtualNetworks/subnets/write'} for the following subnet(s):'MySubnet'

The role that grants access to the VNet has Join Virtual Network. Why does this permission allow VM deployment but not scale set deployment? Is there a difference in RBAC between deploying a VM and a VM scale set?

Edit: adding the role definitions

The VNet has RBAC with a custom Network Contributor role that grants the following

"permissions": [
  {
    "actions": [
      "Microsoft.Network/publicIPAddresses/join/action",
      "Microsoft.Network/virtualNetworks/subnets/join/action",
      "Microsoft.Network/virtualNetworks/subnets/write",
      "Microsoft.Network/virtualNetworks/*/join/action",
      "Microsoft.Network/networkSecurityGroups/write",
      "Microsoft.Network/networkSecurityGroups/securityRules/write",
      "Microsoft.Network/networkSecurityGroups/securityRules/delete"
    ],
    "dataActions": [],
    "notActions": [],
    "notDataActions": []
  }
]

The RBAC on the resource group grants the following permissions

"permissions": [
  {
    "actions": [
      "*",
      "Microsoft.Compute/virtualMachines/*",
      "Microsoft.Compute/virtualMachineScaleSets/*"
    ],
    "dataActions": [],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Network/dnsZones/write",
      "Microsoft.Network/dnsZones/delete",
      "Microsoft.Network/dnsZones/*/write",
      "Microsoft.Network/dnsZones/*/delete",
      "Microsoft.Network/virtualNetworks/write",
      "Microsoft.Network/virtualNetworks/delete",
      "Microsoft.Network/virtualNetworks/peer/action",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Resources/subscriptions/resourceGroups/delete"
    ],
    "notDataActions": []
  }
]

1 Answer


Scale sets are built from virtual machines. With scale sets, a management and automation layer is provided to run and scale your applications.

So there is no difference in RBAC between deploying a VM and a VM scale set. And here is the test result:


According to the error you posted, there is no write permission on the subnet. I think you should check the account you are using. If you use RBAC for the VNet, you need at least Contributor permissions.

You can get more details about the differences between virtual machines and scale sets from this link.

Answered 2018-10-29T06:53:58.073
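As an added example (not code from the question or the answer), the following evaluates the two role definitions quoted in the question offline using Azure RBAC's documented rules: each role's effective permission is Actions minus NotActions, `*` is a wildcard, operation names are case-insensitive, an assignment at a parent scope applies to every child resource, and assignments are additive. The resource IDs are constructed placeholders; deny assignments and the identity actually performing the deployment are not modelled, which is exactly why the answer's advice to check which account is used remains the practical next step.

```python
import re

def action_matches(pattern: str, action: str) -> bool:
    """Azure operation names are case-insensitive; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None

def role_allows(role: dict, action: str) -> bool:
    """Effective permission of one role definition = Actions minus NotActions."""
    granted = any(action_matches(p, action) for p in role["actions"])
    excluded = any(action_matches(p, action) for p in role.get("notActions", []))
    return granted and not excluded

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its own scope and to every resource beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def is_authorized(assignments, action: str, resource_id: str) -> bool:
    """Roles are additive: any applicable assignment whose role allows the action wins.
    Deny assignments and the identity of the caller are deliberately not modelled."""
    return any(role_allows(role, action)
               for scope, role in assignments if scope_covers(scope, resource_id))

# Constructed placeholder resource IDs (subscription, RG and VNet names are invented).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/example-vnet"
SUBNET = VNET + "/subnets/MySubnet"
# The two role definitions quoted in the question, assigned at VNet and RG scope.
VNET_ROLE = {"notActions": [], "actions": [
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/*/join/action",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/delete"]}
RG_ROLE = {"actions": ["*", "Microsoft.Compute/virtualMachines/*",
                       "Microsoft.Compute/virtualMachineScaleSets/*"],
           "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                          "Microsoft.Authorization/elevateAccess/Action",
                          "Microsoft.Network/dnsZones/write", "Microsoft.Network/dnsZones/delete",
                          "Microsoft.Network/dnsZones/*/write", "Microsoft.Network/dnsZones/*/delete",
                          "Microsoft.Network/virtualNetworks/write",
                          "Microsoft.Network/virtualNetworks/delete",
                          "Microsoft.Network/virtualNetworks/peer/action",
                          "Microsoft.Resources/subscriptions/resourceGroups/write",
                          "Microsoft.Resources/subscriptions/resourceGroups/delete"]}
ASSIGNMENTS = [(VNET, VNET_ROLE), (RG, RG_ROLE)]
```

Calling `is_authorized(ASSIGNMENTS, "Microsoft.Network/virtualNetworks/subnets/write", SUBNET)` returns True for these definitions, so if the real deployment is still rejected for that action, the principal running it does not hold the assignments shown.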